dkim-milter-discuss

Thanks to John Dickinson, a patch has been provided which adds support for
DNSSEC to libdkim. This will appear in v2.8.0 of the filter which I'm
hoping to put into public beta as early as next week.

This will necessarily create a couple of new configuration options since
the DNSSEC data may have an impact in terms of local policy.

I was thinking about adding an authentication method to the
Authentication-Results: draft called something like "dkim-sec"
representing the DKIM result if the key/policy records were secured with
DNSSEC, but that draft is on its way to publication so I don't want to
make any changes to it now. So until it's appropriate to publish an
extension to it, we're left with adding a parenthetical comment to the
Authentication-Results: header field which reflects the DNSSEC result, or
changing the actual result based on key/policy security (or both). I plan
to do the comments regardless, but I'm thinking about how to do the other.

The result for any DNSSEC-aware query basically comes down to one of these
four:

- evaluation not completed ("unknown")
- signer not using DNSSEC ("insecure")
- signer using DNSSEC, successful ("secure")
- signer using DNSSEC, unsuccessful ("bogus")

Therefore, I believe we need four new configuration settings. In
particular (with invented names so far):

InsecureKey
- specifies what to do with insecure keys
- possible values:
  - ignore (no action; default)
  - neutral (degrade a "pass" to "neutral")
  - fail (degrade a "pass" to "fail")

BogusKey
- specifies what to do with bogus keys
- possible values:
  - ignore
  - neutral
  - fail (default)

InsecureADSP
- specifies what to do with insecure keys
- possible values:
  - apply (default)
  - ignore

BogusADSP
- specifies what to do with bogus ADSP records
- possible values:
  - apply
  - ignore (default)

Opinions welcome!
-MSK
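
The proposed settings worked through in C, as an added example that is not code from the patch, libdkim or dkim-milter: it shows that only a "pass" is ever degraded and how the DNSSEC state could ride along as a parenthetical comment. Assumptions: all type and function names are hypothetical, "unknown" and "secure" leave the result untouched, InsecureADSP is taken to govern insecure ADSP records, and the comment wording is constructed.

```c
#include <stdio.h>
#include <string.h>
/* DNSSEC outcome of a key or ADSP query, in the post's four states. */
enum dnssec { DNSSEC_UNKNOWN, DNSSEC_INSECURE, DNSSEC_SECURE, DNSSEC_BOGUS };
enum key_action { KEY_IGNORE, KEY_NEUTRAL, KEY_FAIL };  /* InsecureKey, BogusKey */
enum adsp_action { ADSP_APPLY, ADSP_IGNORE };           /* InsecureADSP, BogusADSP */

struct policy {                      /* hypothetical container, not libdkim's */
    enum key_action insecure_key, bogus_key;
    enum adsp_action insecure_adsp, bogus_adsp;
};
static const struct policy POLICY_DEFAULT =   /* defaults proposed in the post */
    { KEY_IGNORE, KEY_FAIL, ADSP_APPLY, ADSP_IGNORE };

/* Only a "pass" is degraded; any other verdict is returned unchanged.
 * Assumption: "unknown" and "secure" never alter the verdict. */
const char *key_result(const char *dkim, enum dnssec d, const struct policy *p)
{
    enum key_action a = KEY_IGNORE;
    if (d == DNSSEC_INSECURE) a = p->insecure_key;
    else if (d == DNSSEC_BOGUS) a = p->bogus_key;
    if (strcmp(dkim, "pass") != 0 || a == KEY_IGNORE) return dkim;
    return a == KEY_NEUTRAL ? "neutral" : "fail";
}

/* Whether the retrieved ADSP record is used at all.
 * Assumption: "unknown" and "secure" records are always applied. */
int adsp_applies(enum dnssec d, const struct policy *p)
{
    if (d == DNSSEC_INSECURE) return p->insecure_adsp == ADSP_APPLY;
    if (d == DNSSEC_BOGUS) return p->bogus_adsp == ADSP_APPLY;
    return 1;
}

/* Method result plus a parenthetical DNSSEC comment; the comment wording
 * is constructed for this example. Returns snprintf's length. */
int ar_dkim(char *buf, size_t n, const char *dkim, enum dnssec d, const struct policy *p)
{
    static const char *names[] = { "unknown", "insecure", "secure", "bogus" };
    return snprintf(buf, n, "dkim=%s (key %s)", key_result(dkim, d, p), names[d]);
}

int main(void)
{
    char buf[64];
    ar_dkim(buf, sizeof buf, "pass", DNSSEC_BOGUS, &POLICY_DEFAULT);
    puts(buf);                       /* dkim=fail (key bogus) */
    return 0;
}
```

With the proposed defaults, a signature that verifies against a key whose DNSSEC validation is bogus is reported as a fail, while the same signature over an insecure key remains a pass.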
